Last week the Court of Appeal handed down a significant judgment in the case of WM Morrison Supermarkets plc v Various Claimants.
The Court of Appeal upheld the decision of the High Court that Morrisons was vicariously liable for a data breach caused by a rogue employee.
In 2014, Mr Skelton, a senior IT auditor (who had a grudge against his employer following disciplinary action the year before), published personal and confidential information of almost 100,000 Morrisons employees on the internet; the information was also sent to three newspapers.
Mr Skelton’s role involved the receiving, storing and disclosing of payroll data to auditors. However, the breach occurred when he published personal data from his home, on his personal computer and outside of working hours.
Over 5,500 employees brought claims against Morrisons for damages for misuse of private information and breach of confidence.
The Court of Appeal agreed that what happened was a ”seamless and continuous sequence of events” and was within the field of activities assigned to Mr Skelton by Morrisons.
What is novel about this case is that it is the first reported case in which the motive of the employee was to deliberately harm the employer, rather than for any personal gain.
The Court of Appeal was not persuaded by the argument that a finding of vicarious liability in this case would result in ‘Doomsday’ or ‘Armageddon’ for employers. The Court of Appeal recognised that data breaches may, depending on the circumstances, lead to a large number of claims against companies for potentially ruinous amounts. However, it observed that a solution would be for employers to insure against catastrophes, and losses caused by dishonest or malicious employees.
It is understood that Morrisons intend to seek leave to appeal to the Supreme Court.
Mr Skelton was sentenced to 8 years imprisonment in July 2015 for his actions.
If you have any questions on employment law or data protection please contact Selene Holden (firstname.lastname@example.org ~ 01284 717436), Greg Jones (email@example.com ~ 01284 717446) or Angharad Ellis Owen (firstname.lastname@example.org ~ 01284 717453).